The present invention relates generally to methods and an apparatus for providing secure remote access to a computer, and more specifically to providing secure access to a computer behind a firewall.
The Internet is a vast, globe-spanning collection of interconnected computer networks and the associated programs, protocols, and standards that enable these computers to communicate with each other. The World Wide Web (xe2x80x9cwebxe2x80x9d), a popular application of the Internet, relies on some of these protocols and standards to make vast collections of digital content accessible via the Internet. Because basic web technologies are relatively simple, anyone may readily publish content ranging from simple text to demanding multi-media presentations.
The globe-spanning nature of the Internet permits a user to contact any computer connected to the Internet from any other computer connected to the Internet. This fundamental property of the Internet, combined with the ease of publishing content on the web, is largely responsible for the explosive growth of the Internet as a medium of communication.
An unfortunate side effect of the globe-spanning nature of the Internet is that any computer connected to the Internet may be a target for attack by meddlesome individuals from anywhere in the world. Indeed, there are countless reports of individuals gaining unauthorized access to computers and other devices connected to the Internet. Conventional wisdom, therefore, has been that sensitive, proprietary, or confidential information should not be stored on computers connected to the Internet. To do otherwise may expose these computers to outside attacks and risk compromising any sensitive data they contain.
However, because of the rapid growth in business-to-business electronic commerce, it is often desirable or even necessary to be able to share sensitive data via the Internet. For example, a company may need to share financial projections with potential investors, or a manufacturing partner may need design specifications for a new product. One way to protect such sensitive data is to use a firewall to restrict access to the computers storing the sensitive data.
A firewall is a combination of hardware and/or software that serves as a controlled link between one network, such as the Internet, and a protected network, such as a corporate Intranet. As used herein, a network referred to as xe2x80x9cprotectedxe2x80x9d or being xe2x80x9cinsidexe2x80x9d or xe2x80x9cbehindxe2x80x9d a firewall refers to a network that is being protected by the firewall. Conversely, a network referred to as xe2x80x9cunprotectedxe2x80x9d or xe2x80x9cless-protectedxe2x80x9d or being xe2x80x9coutsidexe2x80x9d a firewall refers to a network that is not being protected by the firewall. For instance, a corporate Intranet is generally behind a firewall, whereas the Internet is outside the firewall.
Generally, a firewall examines packets arriving at the firewall and processes the packets according to a set of rules and policies. For example, a firewall may implement a policy of forwarding packets that originate behind the firewall but may deny or drop packets originating from outside the firewall. Rules may then provide for limited exceptions to the more general policies. A common rule is to allow a packet originating outside the firewall to pass through if it is a response to a packet that originated within the protected network. A rule such as this is necessary for the Internet services that use the Transmission Control Protocol (TCP), because TCP requires a receiving computer to send acknowledgments of data that has been received.
Another common rule is to allow packets from specific IP addresses or IP domains to pass through the firewall. Such a rule may be used, for example, to provide trusted individuals with access to proprietary data stored on a computer behind a firewall. However, this type of rule is, in a sense, a small hole in a firewall that lets packets pass through. Such holes are potential weak spots that may be exploited to gain unauthorized access to a computer and to any confidential information it may contain. For example, the originating IP address of a packet may be forged using a technique known as xe2x80x9csource spoofingxe2x80x9d to make a packet appear to come from a xe2x80x9cfriendlyxe2x80x9c IP address or domain when in fact the packet originated elsewhere. Source spoofing is only one form of attack that may be used in an attempt to gain unauthorized access; many other methods of exploiting weaknesses in firewall security are known in the art, and new forms of attack are continually being discovered.
Therefore, in view of the forgoing, it would be desirable to provide methods and an apparatus for securing a firewall against common forms of attack.
It would also be desirable to provide methods and an apparatus for allowing packets to pass through a firewall without weakening firewall protection.
In addition, it would be desirable to provide methods and an apparatus for providing secure access through a firewall.
It is, therefore, an object of the present invention to provide methods and an apparatus for securing a firewall against common forms of attack.
It is also an object of the invention to provide methods and an apparatus for allowing packets to pass through a firewall without weakening firewall protection.
It is another object of the invention to provide methods and an apparatus for providing secure access through a firewall.
These and other objects of the present invention are achieved by providing a multiplexer and a connection manager. The connection manager, located behind a firewall, establishes an outgoing connection to the multiplexer and sends the multiplexer a request message. The multiplexer, which is located outside of the firewall, receives and queues the request message, keeping the connection open.
A server outside the firewall receives a request from a client and forwards it to the multiplexer. The multiplexer dequeues the previously queued request message and creates a response message containing the client request. The response message, including the client request, is then sent to the connection manager.
The connection manager removes the client request from the response message and sends it to a protected application, or back-end, for processing. When the processing has been completed, the connection manager sends the back-end response to the multiplexer in another request message. The multiplexer removes the response from the request message and passes the response to the outside server for sending to the requesting client.
As a result of this process, all packets passing through the firewall originate behind the firewall or are responses to packets originating behind the firewall.